twingall1

Kudos

  1. Upvote
    twingall1 gave kudos to Marcos in Threat Found after reboot (BH/GenKryptic.1); in unknown file that powershell tried to access: CANNOT DELETE!
    Please provide:
    1. Microsoft_Framework.js
    2. Logs collected with ESET Log Collector (select Threat detection from the menu)
    Also move Microsoft_Framework.js to a separate folder (e.g. c:\eset), reboot the machine and see if the detection continues. Do not delete any suspicious files until we instruct you.
  2. Upvote
    twingall1 gave kudos to Marcos in Threat Found after reboot (BH/GenKryptic.1); in unknown file that powershell tried to access: CANNOT DELETE!
    Delete also HKCU\SOFTWARE\Microsoft\Mircosoft. It's just a benign blob that the PowerShell script reads, decrypts and loads. After decryption, it's detected as @Backdoor.MSIL/Agent.DAK, most likely with the detection added in 2016.
  3. Upvote
    twingall1 gave kudos to Marcos in Threat Found after reboot (BH/GenKryptic.1); in unknown file that powershell tried to access: CANNOT DELETE!
    You can delete it. The file is benign unless decrypted and run, however, it would be detected at this point. We are also going to add a detection for the PowerShell script that reads data from the file and runs the code after decryption.